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5) Q Claim(s) is/are allowed. 
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Response to Arguments 

Applicant's arguments with respect to claims 1-45 have been considered but are 
moot in view of the new ground(s) of rejection. 

Claim Objections 

Claim 23 is objected to because of the following informalities: Claim 23 depends 
from claim 23, a claim cannot depend on itself. Appropriate correction is required. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-3, 5-6, 7-8, 10-38, and 43 are rejected under 35 U.S.C. 103(a) as being 

unpatentable over Billhartz (US 6,986,161) in view of Ammon et al. - hereinafter 

Ammon (US 2003/0217289). 

As per claims 1, 13, and 25 and 35, Billhartz discloses a method, comprising: 
receiving node information for a node coupled to a computer network; (Col 4 
lines 4-13) 

determining whether to issue an alarm indicating a network intrusion responsive 
to receiving the node information by comparing a unique identifier included in said node 
information to a database (Col 4 lines 4-13) 
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automatically linking at least a portion of said node information to an existing 
database entry in the database and not issuing the alarm when the comparison 
indicates a tracked entity that corresponds to the node issuing the alarm indicating the 
network intrusion and (Col 4 lines 4-13) 

Billhartz fails to disclose creating a new database entry when the comparison 
indicates that the node is a new entity. Ammon discloses creating a new database 
entry when the comparison indicates that the node is a new entity. ([0023]) At the time 
the invention was made, it would have been obvious to a person of ordinary skill in the 
art to creating a new database entry when the comparison indicates that the node is a 
new entity in the disclosure of Billhartz. The motivation for doing do would have been 
to discover both authorized and unauthorized access points and authorized and 
unauthorized client machines that may be trying to connect to the wireless network. 
([0023]) 

As per claim 2, Billhartz / Ammon disclose the method of claim 1 , and Billhartz 
discloses further comprising analyzing the node information to select the unique 
identifier; wherein the selected unique identifier is not a network address such that a 
false alarm is not sent regardless of whether the node is subject to dynamic address 
assignment. (Col 4 lines 4-13, Col 6 lines 5-16; The data link layer further includes 
media access control (MAC) and logical link control sub-layers. In accordance with the 
invention, the nodes 11, 12 preferably use the MAC layer for transmitting data 
therebetween, and each has a respective MAC addresses associated therewith, Col 9 
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lines 23-33, Col 1 1 lines 12-22; discloses unique identifier as a MAC address and reads 
on claim limitations not a network address such that a false alarm is not sent regardless 
of whether the node is subject to dynamic address assignment) 

As per claim 3, Billhartz / Ammon disclose the method of claim 2. Billhartz 
discloses wherein the alarm is not issued when the comparison indicates the tracked 
entity that corresponds to the node regardless of whether the node information identifies 
an unlisted Internet Protocol (IP) address that is absent from the database at a time that 
the node information is received. (Col 4 lines 4-13, Col 1 1 lines 12-22; A further 
advantage of the invention is that it may be used to supplement existing intrusion 
detection systems, particularly those that focus on intrusion in the upper OSI network 
layers; upper OSI network layers includes the network layer (layer 3) which examines 
the IP address) 

As per claim 5, Billhartz / Ammon disclose the method of claim 1 . Billhartz 
discloses the method of Claim 1 , further comprising: 

analyzing the node information to select the unique identifier; wherein the 
selected unique identifier is not based solely on an IP address such that the 
determination of whether the alarm is sent is independent of whether the node is subject 
to static or dynamic address assignment. (Col 9 lines lines 23-33, Col 1 1 lines 12-22, 
discloses unique identifier as a MAC address and an authorized network in addition to 
ip address as in upper OSI network layers) 
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As per claim 6, Billhartz / Ammon disclose the method of claim 5. Billhartz fails to 
disclose wherein the unique identifier is a combination of a physical address and a 
network address for the node. Ammon discloses wherein the unique identifier is a 
combination of a physical address and a network address for the node. ([01 17],[01 18]) 
At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to disclose wherein the unique identifier is a combination of a physical 
address and a network address for the node in the disclosure of Ammon. The 
motivation for doing do would have been to store the results of that monitoring, 
processes the results to determine whether any unauthorized access of the wireless 
network of interest has occurred, and notifies users of the results and the processing. 
([0012]) 

As per claim 7, Billhartz / Ammon disclose the method of claim 5. Billhartz 
discloses wherein the unique identifier that is compared to the database includes a 
domain name associated with the node. (Col 11 lines 12-22; authorized network as 
domain name) Billhartz fails to disclose wherein the unique identifier that is compared 
to the database includes a domain name associated with the node, a computer name 
associated with the node and one other value associated with the node. Aamon 
discloses wherein the unique identifier that is compared to the database includes a 
domain name associated with the node, a computer name associated with the node and 
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one other value associated with the node. ([01 1 7],[01 1 8]) At the time the invention 
was made, it would have been obvious to a person of ordinary skill in the art to disclose 
wherein the unique identifier that is compared to the database includes a domain name 
associated with the node, a computer name associated with the node and one other 
value associated with the node in the disclosure of Ammon. The motivation for doing do 
would have been to store the results of that monitoring, processes the results to 
determine whether any unauthorized access of the wireless network of interest has 
occurred, and notifies users of the results and the processing. ([0012]) 

As per claims 8 and 32, Billhartz / Aamon disclose the method of claim 7. 
Billhartz fails to disclose wherein the other value is a security identifier, a serial number 
or a physical address. Aamon discloses wherein the other value is a security identifier, 
a serial number or a physical address. ([01 17]-[01 18]) At the time the invention was 
made, it would have been obvious to a person of ordinary skill in the art to disclose 
wherein the other value is a security identifier, a serial number or a physical address in 
the disclosure of Ammon. The motivation for doing do would have been to store the 
results of that monitoring, processes the results to determine whether any unauthorized 
access of the wireless network of interest has occurred, and notifies users of the results 
and the processing. ([0012]) 

As per claims 10 and 29, Billhartz / Aamon disclose the method of claim 1. 
Billhartz fails to disclose wherein said entity is a computer system running a particular 
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operating system. Aamon discloses wherein said entity is a computer system running a 
particular operating system. ([0055]) At the time the invention was made, it would have 
been obvious to a person of ordinary skill in the art to disclose wherein said entity is a 
computer system running a particular operating system. The motivation for doing do 
would have been to store the results of that monitoring, processes the results to 
determine whether any unauthorized access of the wireless network of interest has 
occurred, and notifies users of the results and the processing. ([0012]) 

As per claim 11, Billhartz/ Aamon disclose the method of claim 1, and Billhartz 
discloses wherein said entity is a user of said computer network. (Col 7 lines 54-63) 

As per claim 12, Billhartz/ Aamon disclose the method of claim 1, and Billhartz 
discloses wherein said entity is a computer system. (Col 6 lines 29-36) 

As per claim 14, Billhartz / Aamon disclose the apparatus of claim 1 3. Billhartz 
discloses wherein the selected value is not based on an Internet Protocol (IP) address 
such the node can be correlated to one of the tracked entities. (Col 11 lines 12-22) 
Billhartz fails to disclose wherein the selected value is not based on an Internet Protocol 
(IP) address such the node can be correlated to one of the tracked entities when the 
node is subject to dynamic IP address assignment. ([0161] At the time the invention 
was made, it would have been obvious to a person of ordinary skill in the art to disclose 
wherein the selected value is not based on an Internet Protocol (IP) address such the 
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node can be correlated to one of the tracked entities when the node is subject to 
dynamic IP address assignment in the disclosure of Billhartz. The motivation for doing 
do would have been to store the results of that monitoring, processes the results to 
determine whether any unauthorized access of the wireless network of interest has 
occurred, and notifies users of the results and the processing. ([0012]) 

As per claim 1 5, Billhartz/ Aamon disclose the apparatus of claim 1 3, and Billhartz 
discloses wherein the selected value is based on a physical address for the node when 
a security identifier is unavailable. (Col 6 lines 5-16; security identifier is unavailable in 
this case) 

As per claim 16, Billhartz / Aamon disclose the apparatus of claim 13, and 
Billhartz discloses wherein the selected value is based on a physical address for the 
node when a serial number is unavailable. (Col 6 lines 5-16; serial number is 
unavailable in this case) 

As per claim 17, Billhartz / Aamon disclose the apparatus of claim 13, and 
Billhartz discloses wherein the selected value is based on a physical address for the 
node when a different preferred identifier is unavailable. (Col 6 lines 5-16; different 
preferred identifier is unavailable in this case) 
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As per claim 18, Billhartz / Aamon disclose the apparatus of claim 13, and 
Billhartz discloses wherein the selected value is based on both a physical address and 
a network address when a different preferred identifier is unavailable. (Col 6 lines 5-16; 
different preferred identifier is unavailable in this case, the remaining layers of the OSI 
model may also be used for data transmission as well, and other suitable network data 
transfer models may also be used , and that includes the network layer for IP or network 
address) 

As per claim 19, Billhartz / Aamon disclose the apparatus of claim 13, wherein the 
selected value is either not a network address or is a combination of the network 
address and a globally unique identifier. (Col 6 lines 5-16) 

As per claim 20, Billhartz/ Aamon disclose the apparatus of claim 13, and 
Billhartz discloses the selected value is not based on an IPv4 address such the node 
can be correlated to one of the tracked entities. (Col 6 line 5-16; based on MAC 
address) Billhartz fails to disclose the selected value is not based on an IPv4 address 
such the node can be correlated to one of the tracked entities even when the node is 
subject to dynamic IPv4 address assignment. Aamon disclose the selected value is not 
based on an IPv4 address such the node can be correlated to one of the tracked 
entities even when the node is subject to dynamic IPv4 address assignment. ([0161]) 
At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to disclose the selected value is not based on an IPv4 address such the 
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node can be correlated to one of the tracked entities even when the node is subject to 
dynamic IPv4 address assignment. The motivation for doing do would have been to 
store the results of that monitoring, processes the results to determine whether any 
unauthorized access of the wireless network of interest has occurred, and notifies users 
of the results and the processing. ([0012]) 

As per claim 21 , Billhartz/ Aamon disclose the apparatus of claim 1 3. Billhartz 
discloses wherein the processors are further operable to: 

select either a security identifier provided by an operating system of the node or 
a serial number provided by a basic input output system of the node for the value when 
the received node information includes either the security identifier or the serial number; 
(Col 3 lines 10-22) 

and select a physical address for the value when the received node information 
does not include either the security identifier or the serial number. (Col 6 lines 5-16; 
security identifier or serial identifier is unavailable in this case) 

As per claim 22, Billhartz/ Aamon disclose the apparatus of claim 13. Billhartz 
discloses wherein the processors are further operable to trigger issuance of an intrusion 

alarm when the node does not correspond to one of the tracked entities. (Col 4 lines 4- 
13) 
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As per claim 23, Billhartz/ Aamon disclose the apparatus of claim 23. Billhartz 
discloses wherein issuance of a false alarm is avoided when the received node 
information is linked to an existing entry in the database. (Col 4 lines 4-13) 

As per claim 24, Billhartz / Aamon disclose the apparatus of claim 13. Billhartz 
discloses wherein the processors are further operable to use adaptive scanning before 
determining whether to issue an alarm. (Col 4 lines 4-13) 

As per claim 26, Billhartz / Aamon disclose the method of claim 25. Billhartz 
discloses wherein said multiple identifiers comprise a media access control (MAC) 
address (Col 6 line 5-16) 

As per claim 27, Billhartz/ Aamon disclose the method of claim 25. Billhartz 
disclose wherein said multiple identifiers further comprise a computer name. (Col 3 
lines 10-22) 

As per claim 28, Billhartz/ Aamon disclose the method of claim 27. Billhartz 
discloses wherein said multiple identifiers further comprise a domain name. (Col 11 
lines 12-22; authorized network as domain name) 

As per claim 30, Billhartz/ Aamon disclose the method of claim 28. Billhartz 
disclose wherein said multiple identifiers comprise at least two of: a media access 
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control (MAC) address, a computer name, a domain name, and an operating system. 
(Col 11 lines 12-22, authorized network as domain name) 



As per claim 31 , Billhartz/ Aamon disclose the method of claim 25. Billhartz 
discloses wherein said unique identifier comprises a security identifier. (Col 3 lines 10- 
22) 

As per claim 33, Billhartz/ Aamon disclose the method of claim 25. Billhartz 
discloses further comprising: returning an identifier for an entity in response to a request 
including a node identifier. (Col 1 lines 38-52) 

As per claim 34, Billhartz/ Aamon disclose the method of claim 25. Billhartz 
discloses further comprising: returning identifiers for all nodes associated with an entity 
in response to a request including an entity identifier. (Col 4 lines 4-13) 

As per claim 35, Billhartz/ Aamon disclose the method of claim 25. Billhartz 
discloses further comprising: returning node information in response to a request for 
said node information including a node identifier. (Col 4 lines 4-13) 

As per claim 37, Billhartz/ Aamon disclose the system for tracking entities in a 
computer network of claim 36, and Billhartz discloses further comprising means for 
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determining if the unique identifier from said node information matches a unique 
identifier in said database. (Col 4 lines 4-13) 

As per claim 38, the system for tracking entities in a computer network of 
Claim 36, further comprising means for determining if a media access control (MAC) 
address from said node information matches a MAC address in said database, if there 
is not the unique identifier in said node information. (Col 4 lines 4-13) 

As per claim 43, Billhartz/Aamon disclose the same limitations as claim 1 , and 
Billhartz further discloses wherein said engine is further operable to determine if a 
media access control (MAC) address from said node information matches a MAC 
address in said database, if there is not a unique identifier in said node information. 
(Col 4 lines 4-13, Col 6 lines 5-16) 

Claims 39-40 and 44-45 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Billhartz (US 6,986,161) / Ammon (US 2003/0217289) further in view 
of Short et al. - hereinafter Short (US 7,194,554) 

As per claims 39 and 44, Billhartz/Aamon disclose the system for tracking entities 
in a computer network of Claim 36. Billhartz fails to disclose further comprising means 
for determining if a computer name from said node information matches a computer 
name associated with said MAC address in said database. Short discloses further 
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comprising means for determining if a computer name from said node information 
matches a computer name associated with said MAC address in said database. (Col 9 
lines 8-26; Col 10 lines 9-37) At the time the invention was made, it would have 
been obvious to a person of ordinary skill in the art to disclose further comprising means 
for determining if a computer name from said node information matches a computer 
name associated with said MAC address in said database in the disclosure of Billhartz. 
The motivation for doing do would have been to for selectively implementing and 
enforcing Authentication, Authorization and Accounting (AAA) of users accessing a 
network via a gateway device. (Col 3 lines 9-44) 

As per claims 40 and 45, Billhartz/Aamon disclose the system for tracking entities 
in a computer network of claim 36. Billhartz fails to disclose means for determining if a 
computer name from said node information matches a computer name in said 
database; and means for determining if a domain name from said node information 
matches a domain name associated with said computer name in said database. Short 
discloses means for determining if a computer name from said node information 
matches a computer name in said database; and means for determining if a domain 
name from said node information matches a domain name associated with said 
computer name in said database. (Col 9 lines 8-26; Col 10 lines 9-37) At the time 
the invention was made, it would have been obvious to a person of ordinary skill in the 
art to disclose means for determining if a computer name from said node information 
matches a computer name in said database; and means for determining if a domain 
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name from said node information matches a domain name associated with said 
computer name in said database in the disclosure of Billhartz. The motivation for doing 
do would have been to for selectively implementing and enforcing Authentication, 
Authorization and Accounting (AAA) of users accessing a network via a gateway device. 
(Col 3 lines 9-44) 

Allowable Subject Matter 

Claims 4 and 9 are objected to as being dependent upon a rejected base claim, 
but would be allowable if rewritten in independent form including all of the limitations of 
the base claim and any intervening claims. 

The following is a statement of reasons for the indication of allowable subject 
matter: Billhartz was relied upon per Col 2 lines 25-30, "provide a mobile ad-hoc 
network (MANET) with intrusion detection features and related methods." Ammon was 
relied upon to disclose per [01 18], "This process checks the new IDS events and adds 
new unknown clients to the database according to the above schema. Information about 
the unknown clients that is entered into the database can include the MAC address, 
SSID, IP address, channel, signal strength, and WEP status" 

As per claims 4 and 9, a thorough review of prior art fails to disclose specific 
conditions of "selecting a security identifier provided by an operating system of the node 
as the unique identifier when the analysis indicates that the node information includes 
the security identifier; selecting a serial number provided by a basic input output system 
of the node as the unique identifier when the analysis indicates that the node 
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information does not include the security identifier; and selecting a physical address as 
the unique identifier when the analysis indicates that the node information does not 
include either of the security identifier and the serial number." 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Chirag R Patel whose telephone number is (571)272- 
7966. The examiner can normally be reached on Monday to Friday from 7:30AM to 
4:00PM. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Rupal Dharia, can be reached on (571) 272-3880. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pairdirect.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 
(toll free). 

Chirag Patel 




Patent Examiner 



^ JASON CARDONE 
SUPERVISORY PATENT EXAMINER 




CP. 



